Search Results

Search found 4302 results on 173 pages for 'facebook'.


  • SINGLE SIGN ON SECURITY THREAT! FACEBOOK access_token broadcast in the open/clear

    - by MOKANA
    Subsequent to my posting there was a remark made that this was not really a question, but I thought I did indeed postulate one. So that there is no ambiguity, here is the question with a lead-in: Since there is no data sent from Facebook during the Canvas Load process that is not at some point divulged, including the access_token, session and other data that could uniquely identify a user, does anyone see any other way, other than adding one more layer, i.e., a password, sent over the wire via HTTPS along with the access_token, that will ensure unique, untampered-with security for the user? Using Wireshark I captured the local broadcast while loading my Canvas Application page. I was hugely surprised to see the access_token broadcast in the open, viewable for anyone to see. This access_token is appended to any HTTPS call to the Facebook OpenGraph API. Using Facebook as a single-click log-on has now raised huge concerns for me. It is stored in a session object in memory and the cookie is cleared upon app termination, and after reviewing the FB.Init calls I saw a lot of HTTPS calls, so I assumed the access_token was always encrypted. But last night I saw in the status bar a call that was simply an HTTP call that included the App ID, so I felt I should sniff the Application Canvas load sequence. Today I did sniff the broadcast, and in the attached image you can see that there are HTTP calls with the access_token being broadcast in the open and clear for anyone to gain access to. Am I missing something; is what I am seeing and my interpretation really correct? If anyone can sniff and get the access_token they can theoretically make calls to the Graph API via HTTPS, even though the callback would still need to be the site established in Facebook's application setup. But what is truly a security threat is anyone using the access_token for access to their own site.
    I do not see the value of a single sign-on via Facebook if the only thing that was established as secure was the access_token, because from what I can see it clearly is not secure. Access tokens that never have an expiry date do not change. Access_tokens are different for every user, so access to another site could be held tight to just a single user, but compromising even a single user's data is unacceptable. http://www.creatingstory.com/images/InTheOpen.png Went back and did more research on this: FINDINGS: Went back and re-ran the canvas application to verify that it was not any of my code that was broadcasting. In this call: HTTP GET /connect.php/en_US/js/CacheData HTTP/1.1 the USER ID is clearly visible in the cookie. So USER_IDs are fully visible, but they are already. Anyone can go to pretty much anyone's page and hover over the image and see the USER ID. So no big threat. APP_IDs are also easily obtainable, but . . . http://www.creatingstory.com/images/InTheOpen2.png The above file clearly shows the FULL ACCESS TOKEN clearly in the OPEN via a Facebook-initiated call. Am I wrong? TELL ME I AM WRONG, because I want to be wrong about this. I have since reset my app secret, so I am showing the real sniff of the Canvas Page being loaded. Additional data 02/20/2011: @ifaour - I appreciate the time you took to compile your response. I am pretty familiar with the OAuth process and have a pretty solid understanding of the signed_request unpacking and utilization of the access_token. I perform a substantial amount of my processing on the server, and my Facebook server-side flows are all complete and function without any flaw that I know of. The application secret is secure and never passed to the front-end application, and is also changed regularly. I am being as fanatical about security as I can be, knowing there is so much I don't know that could come back and bite me.
    Two huge access_token issues: The issues concern the possible utilization of the access_token from the USER AGENT (browser). During the FB.INIT() process of the Facebook JavaScript SDK, a cookie is created as well as an object in memory called a session object. This object, along with the cookie, contains the access_token, session, a secret, and the uid and status of the connection. The session object is structured such that it supports both the new OAuth and the legacy flows. With OAuth, the access_token and status are pretty much all that is used in the session object. The first issue is that the access_token is used to make HTTPS calls to the GRAPH API. If you had the access_token, you could do this from any browser: https://graph.facebook.com/220439?access_token=... and it will return a ton of information about the user. So anyone with the access token can gain access to a Facebook account. You can also make additional calls to any info the user has granted access to the application tied to the access_token. At first I thought that a call into the GRAPH had to have a callback to the URL established in the App Setup, but I tested it as mentioned below and it will return info right back into the browser. Adding that callback feature would be a good idea I think; it tightens things up a bit. The second issue is utilization of some unique private secured data that identifies the user to the third-party database, i.e., like in my case, I would use a single sign-on to populate user information into my database using this unique secured data item (i.e., the access_token, which contains the APP ID, the USER ID, and a hashed-with-secret sequence). None of this is a problem on the server side. You get a signed_request, you unpack it with the secret, make HTTPS calls, get HTTPS responses back.
    When a user has information entered via the USER AGENT (browser) that must be stored via a POST, this unique secured data element would be sent via HTTPS such that it is validated prior to database insertion. However, if there is NO secured piece of unique data that is supplied via the single sign-on process, then there is no way to guarantee against unauthorized access. The access_token is the one piece of data that is utilized by Facebook to make the HTTPS calls into the GRAPH API. It is considered unique in regards to BOTH the USER and the APPLICATION and is initially secure via the signed_request packaging. If, however, it is subsequently transmitted in the clear, and if I can sniff the wire and obtain the access_token, then I can pretend to be the application and gain the information they have authorized the application to see. I tried the above example from a Safari and IE browser and it returned all of my information to me in the browser. In conclusion, the access_token is part of the signed_request and that is how the application initially obtains it. After OAuth authentication and authorization, i.e., the USER has logged into Facebook and then runs your app, the access_token is stored as mentioned above, and I have sniffed it such that I see it stored in a cookie that is transmitted over the wire, resulting in there being NO UNIQUE SECURED IDENTIFIABLE piece of information that can be used to support interaction with the database; or in other words, unless there were one more piece of secure data sent along with the access_token to my database, i.e., a password, I would not be able to discern if it is a legitimate call. Luckily I utilized secure AJAX via POST and the call has to come from the same domain, but I am sure there is a way to hijack that.
    I am totally open to any ideas on this topic on how to uniquely identify my USERS other than adding another layer (password) via this single sign-on process, or if someone would just share with me that I read and analyzed my data incorrectly and that the access_token is always secure over the wire. Mahalo nui loa in advance.


  • Facebook completely down last night; an employee reportedly exposed prototypes by mistake

    Facebook completely down last night; an employee reportedly exposed prototypes by mistake. Last night (from 22:15 French time), Facebook was out of service for nearly 30 minutes. Yet the site suffered no outside attack. In fact, it was taken offline by the company itself. The cause? During the switch to the new design for brand pages (with a redesigned photo gallery and new page-management features), an engineer on the development team also deployed some internal prototypes. These drafts of future Facebook products should have remained secret, which is why the site was disabled: to give its staff time to clean up...


  • Microsoft integrates Office into Facebook: one of the new products from its Future Social Experience Labs…

    Microsoft integrates Office into Facebook. One of the new products from its Future Social Experience Labs. The Web 2.0 conference is currently being held in San Francisco. On that occasion, a Microsoft representative took the opportunity to present two new products from the company's Future Social Experience Labs (alias FUSE). FUSE's first achievement had been the integration of tweets into Bing results. This time, the R&D lab offers a site (Docs.com) that lets Microsoft Office documents be embedded in Facebook. More precisely, it lets Facebook contacts access documents on the model of an attachment...


  • Silverlight Client for Facebook updated for Silverlight 4 RC

    If you installed the Silverlight Client for Facebook and also upgraded to the release candidate for Silverlight 4, you may have noticed it stopped working :-). NOTE: Applications compiled on Silverlight 4 beta will not work on machines with the Silverlight RC runtime. This is known/expected. As with all pre-release software, this type of breakage can be expected. We've recently updated the Facebook application, and you will have to re-install. Follow these steps: Uninstall the Silverlight Facebook...


  • Facebook is now valued at 50 billion dollars, surpassing Yahoo, eBay and Time Warner

    Facebook is now valued at 50 billion dollars, surpassing Yahoo, eBay and Time Warner. Facebook's value has just taken a big leap forward, even though the company is still not listed on the stock exchange because of its founder's reluctance. Indeed, the investment bank Goldman Sachs has just invested 450 million dollars in Mark Zuckerberg's social networking site. But that's not all: the Russian conglomerate Digital Sky Technologies has also added its stone to the edifice by injecting 50 million dollars. Two financial operations that now allow Facebook to be valued at... 50 billion dollars! The company keeps growing, while it...


  • Applications are springing up on the web to manage privacy on Facebook, making it easy to protect your personal data

    Update of 18.05.2010 by Katleen. Applications are springing up on the web to manage privacy on Facebook, making it easy to protect your personal data. With more and more changes to its privacy settings, Facebook is becoming a website that is complicated for some people to configure. Indeed, the social network offers no fewer than 50 settings with more than 70 options to control what the Net can see of you... As proof, this chart published last week by the New York Times illustrating all the available configurations: http://graphics8.nytimes.com/packages/images/newsgraphics/2010/0512-facebook/gif1.jpg ...


  • ExcelBook Conceals Facebook Browsing in a Spreadsheet

    - by Jason Fitzpatrick
    If you can't get enough of social media while you're at work, ExcelBook hides your Facebook browsing inside a spreadsheet. It's certainly not the way to win the employee of the month award, but if you're looking for a subtle way to browse and update Facebook from your cube, ExcelBook offers an Adobe AIR-based Facebook interface that looks like a spreadsheet application. Hit up the link below to grab a copy. ExcelBook [BeStupidAtWork via Yahoo! News]


  • Securing Facebook

    - by Promather
    Probably like most of you, I am concerned about the privacy of Facebook. Some people suggested that I use the HTTPS address instead. Unfortunately, many links in the HTTPS page itself link back to HTTP. So I am wondering whether it is possible in Ubuntu to redirect any request to: http://www.facebook.com/ to https://www.facebook.com/ This way I feel safer. If you also know the solution for Windows, it might be great to share (probably as a comment to my question rather than answer, as this forum is supposed to be for Ubuntu) so that I can share it with friends.


  • Facebook fixes a bug that may have caused a data leak affecting six million users

    Facebook fixes a bug that may have caused a data leak affecting six million users. If you received an e-mail from Facebook this weekend explaining that your account was compromised following a bug, be aware that it is not SPAM. Indeed, last Friday Facebook chose to play the transparency card by announcing in a blog post that it had been the victim of a software fault that was behind the data leak of nearly six million users. Download Your Information (DYI) is the tool that caused the malfunction. It is responsible for retrieving users' e-mail addresses and phone numbers as part of the secu...


  • Facebook abandons HTML5 for its iOS app, deemed too slow

    Facebook abandons HTML5 for its iOS app, deemed too slow. The Facebook app for iOS, while practical, is slow, and often very slow at that. According to the New York Times, of 38,000 people who rated it, more than 21,000 gave the app only one star, calling it slow, always loading, prone to repeated crashes, etc. Unmoved by all these remarks, Facebook decided to make its app faster by rewriting it completely. As a consequence, the HTML5 that had previously been used to develop the app around an Objective-C shell, in order to use the same base...


  • DB structure for Twitter home/Facebook wall?

    - by mathon12
    Basically a live feed of all your friends' recent posts. In a stupid sort of approach I think I'd start by building a query like: SELECT * FROM tblposts WHERE userid=friend_id_1 OR userid=friend_id_2 ... and so on, where friend_id_% is the userid of a friend from your friends list. But this must be a very inefficient way of doing it, right? Is there any faster way of doing this in MySQL? Maybe some clever DB schema? (I know FB uses Hadoop but I'm not experienced enough to go that far :( )


  • facebook FBML,FBJS

    - by Rohit
    I want to use FBML as a canvas and would like to display a rich text editor like FCKeditor or another. Can anybody out there help me out on this? E.g. to format text, mainly bold and italics. Is it possible? How? I'm eager to learn more from the responder.


  • Facebook/FBML: How to tell if a user is a fan of the fan page

    - by Dominic Godin
    Hi, I'm working on an FBML fan page for a client. I need to perform a check to see if the current user is a fan of the page. I tried using the JavaScript API but I've found this is not compatible with FBML. I have looked through the FBML page on the developer wiki and found checks for practically everything else, but no "is user a fan" check. Any pointers in the right direction would be most appreciated. Thanks in advance.


  • What is the procedure followed to divide the background into squares like Facebook SuperCity, FarmVille

    - by Jeeva
    I have planned to develop a game in Flex in which the users will build buildings on a plain surface. I want to divide that land into pieces and allow the user to build the buildings on the pieces of the surface. How do I divide the land into pieces? I have seen the Facebook applications SuperCity, FarmVille, etc. I want to develop the same as that. What is the method followed to develop the squares in the background?


  • FaceBook Login Problem

    - by toman
    Hi All, I am working on an application which extracts information from Facebook search, hence I need to log in to Facebook. I have registered my application on the Facebook developers site and have got an API key and secret key. In my code I am getting an exception when I am trying to log in. Here is my code for logging in to Facebook:

        import com.facebook.api.FacebookRestClient;
        import org.apache.commons.httpclient.HttpClient;
        import org.apache.commons.httpclient.HttpState;
        import org.apache.commons.httpclient.NameValuePair;
        import org.apache.commons.httpclient.methods.GetMethod;
        import org.apache.commons.httpclient.methods.PostMethod;
        import org.apache.commons.httpclient.params.HttpClientParams;

        public class FaceLogin {
            public FaceLogin() {
                getUserID("username", "password");
            }

            private static void getUserID(String email, String password) {
                String session = null;
                try {
                    HttpClient http = new HttpClient();
                    http.setParams(new HttpClientParams());
                    //http.getHostConfiguration().setHost("http://www.facebook.com/");
                    http.setState(new HttpState());
                    String api_key = "****some key****";
                    String secret = "****some key****";
                    FacebookRestClient client = new FacebookRestClient(api_key, secret);
                    client.setIsDesktop(true);
                    // Desktop flow: create an auth token, have the user log in with it, then exchange it for a session
                    String token = client.auth_createToken();
                    final String loginId = "http://www.facebook.com/login.php";
                    GetMethod get = new GetMethod(loginId + "?api_key=" + api_key + "&v=1.0&auth_token=" + token);
                    System.out.println("Get=" + get);
                    http.executeMethod(get);
                    PostMethod post = new PostMethod(loginId);
                    post.addParameter(new NameValuePair("api_key", api_key));
                    post.addParameter(new NameValuePair("v", "1.0"));
                    post.addParameter(new NameValuePair("auth_token", token));
                    post.addParameter(new NameValuePair("fbconnect", "true"));
                    post.addParameter(new NameValuePair("return_session", "true"));
                    post.addParameter(new NameValuePair("session_key_only", "true"));
                    post.addParameter(new NameValuePair("req_perms", "read_stream,publish_stream"));
                    post.addParameter(new NameValuePair("lsd", "8HYdi"));
                    post.addParameter(new NameValuePair("locale", "en_US"));
                    post.addParameter(new NameValuePair("persistent", "1"));
                    post.addParameter(new NameValuePair("email", email));
                    post.addParameter(new NameValuePair("pass", password));
                    System.out.println("Token =" + token);
                    int postStatus = http.executeMethod(post);
                    System.out.println("Response : " + postStatus);
                    session = client.auth_getSession(token); // Here I am getting error
                    System.out.println("Session string: " + session);
                    long userid = client.users_getLoggedInUser();
                    System.out.println("User Id is : " + userid);
                } catch (Exception e) {
                    e.printStackTrace();
                }
            }

            public static void main(String k[]) {
                FaceLogin facebookLoginObj = new FaceLogin();
            }
        }

    I am getting the following exception:

        org.apache.commons.httpclient.HttpMethodBase processResponseHeaders
        WARNING: Cookie rejected: "$Version=0; $Domain=deleted; $Path=/; $Domain=.facebook.com". Cookie name may not start with $
        Response : 200
        Jun 8, 2010 2:07:36 PM org.apache.commons.httpclient.HttpMethodBase processResponseHeaders
        WARNING: Cookie rejected: "$Version=0; $Path=deleted; $Path=/; $Domain=.facebook.com". Cookie name may not start with $
        Facebook returns error code 100
          - v - 1.0
          - auth_token - 004e90dc8818d5f0921d1065d24508d3
          - method - facebook.auth.getSession
          - call_id - 1275986256796
          - api_key - f7cb1e48c383ef599da9021fc4dec322
          - sig - 9344ec75b74a0a87bcae645046d45da8
        com.facebook.api.FacebookException: Invalid parameter
                at com.facebook.api.FacebookRestClient.callMethod(FacebookRestClient.java:828)
                at com.facebook.api.FacebookRestClient.callMethod(FacebookRestClient.java:606)
                at com.facebook.api.FacebookRestClient.auth_getSession(FacebookRestClient.java:1891)
                at facebookcrawler.FacebookLogin.getUserID(FacebookLogin.java:81)
                at facebookcrawler.FacebookLogin.<init>(FacebookLogin.java:24)
                at facebookcrawler.FaceLogin.main(FaceLogin.java:80)

    Here maybe the problem is in creating the session; I searched for all the solutions on the net but none of them helped me to get logged in.
    Please help me if you can suggest some way to resolve this problem. Thanks for all your valuable suggestions.


  • define javascript functions on iframe facebook app inside <fb:serverfbml> tag

    - by user233486
    Hi all, how can we define a JS function inside ? I tried to load the JavaScript file at the end tag , but I still can't call the function from the JavaScript file. Here is the FBML tag:

        <fb:serverfbml>
          <script type="text/fbml">
            <fb:fbml>
              <a href="#" id="this" onclick="do_colors(this); return false">Hello World!</a>
              <script src="http://absolute.path.to/your/javascript/file.js"></script>
            </fb:fbml>
          </script>
        </fb:serverfbml>

    And here is the JavaScript function in file.js:

        function random_int(lo, hi) {
          return Math.floor((Math.random() * (hi - lo)) + lo);
        }

        function do_colors(obj) {
          var r = random_int(0, 255), b = random_int(0, 255), g = random_int(0, 255);
          obj.setStyle({
            background: 'rgb(' + [r, g, b].join(',') + ')',
            color: 'rgb(' + [r < 128 ? r + 128 : r - 128,
                             g < 128 ? g + 128 : g - 128,
                             b < 128 ? b + 128 : b - 128].join(',') + ')'
          });
        }

    I use Rails and Facebooker to develop the application. Any idea or suggestion for defining JavaScript functions? Thanks,


  • FQL Stream Facebook Application publish_stream

    - by Ronald Burris
    I want to create/show an activity stream of everything that has been published/commented on behalf of my application. My question is, do I need to "farm" any post IDs, or am I able to call upon everything posted into the stream via my application from its id in an FQL statement? Thanks in advance!


  • Facebook Connect iPhone StreamDialog delegate dialogDidSucceed

    - by JohnPayne
    Hey. I use FBStreamDialog to let users publish on their news feed. [fbStreamDialog show]; makes the dialog view pop up; the user can press cancel or submit that message. Now... my problem is that both buttons close the dialog view and call the delegate method dialogDidSucceed. How do I find out which button was pressed? It's very important for me to know; any useful advice would be really, really nice! Thanks, John


  • facebook XFBML is not rendering in IE8

    - by Pablo
    I put up this test page to illustrate this issue: http://pix-all.com/fb-test.htm Every browser I've tested on has worked, but not IE8. The odd part is that IE8 doesn't even report an error. WOW, and that is something. So right now I'm stuck with nothing to work on or debug. Hopefully you guys can help me out and spot what I've overlooked. Thank you in advance


  • upload photo at facebook via iphone

    - by yunas
    Hello, I am trying to upload my image from my application but am not able to do so.... I have tried:

        ASIFormDataRequest *theRequest = [ASIFormDataRequest requestWithURL:url];
        NSString *nowTimestamp = [NSString stringWithFormat:@"%f", [[NSDate date] timeIntervalSince1970]];
        [theRequest setPostValue:kApiKey forKey:@"api_key"];
        // call_id is posted as the same string that is later hashed into the signature
        [theRequest setPostValue:nowTimestamp forKey:@"call_id"];
        [theRequest setPostValue:@"1.0" forKey:@"v"];
        [theRequest setPostValue:@"abc" forKey:@"status"];
        [theRequest setPostValue:[NSString stringWithFormat:@"%lld", session1.uid] forKey:@"uid"];
        NSLog(@"%lld", session1.uid);

        // Legacy REST signature: every posted parameter as key=value, sorted by name,
        // concatenated, followed by the application secret, then MD5'd.
        NSString *strSig = @"";
        strSig = [strSig stringByAppendingString:[NSString stringWithFormat:@"%@=%@", @"api_key", kApiKey]];
        strSig = [strSig stringByAppendingString:[NSString stringWithFormat:@"%@=%@", @"call_id", nowTimestamp]];
        strSig = [strSig stringByAppendingString:[NSString stringWithFormat:@"%@=%@", @"status", @"abc"]];
        strSig = [strSig stringByAppendingString:[NSString stringWithFormat:@"%@=%@", @"uid", [NSString stringWithFormat:@"%lld", session1.uid]]];
        strSig = [strSig stringByAppendingString:[NSString stringWithFormat:@"%@=%@", @"v", @"1.0"]];
        strSig = [strSig stringByAppendingString:kApiSecret];
        [theRequest setPostValue:[self md5:strSig] forKey:@"sig"];
        [theRequest setURL:url];
        [theRequest setRequestMethod:@"POST"];
        [theRequest setPostFormat:ASIMultipartFormDataPostFormat];
        [theRequest startSynchronous];

    but it says that the signature is incorrect.... Where am I wrong? Please help me.....


  • Creating a Facebook session for getting page info

    - by Marty Haught
    I am trying to get info on a page that my user is admin for. This user has granted my fb_connect app offline access. I have saved the session_key that allows offline access (it has the user's id in it). I am able to publish to this fan page with this session key. But when I try to access the page's info I get a SessionExpired error. This doesn't make sense. Look at the code and output below (p is a 'profile' object that holds the three pieces of relevant fb data: user_id, session_key and page id):

        fb_session = Facebooker::Session.create
        => #
        fb_session.secure_with!(p.fb_session_key, p.fb_user_id, 0)
        => nil
        fb_session.user.has_permission?("offline_access")
        => true
        fb_session.user.has_permission?("publish_stream")
        => true
        fb_session.user.has_permission?("read_stream")
        => true
        pages = fb_session.fql_query("select fan_count from page where page_id = #{p.fb_page_id}")
        Facebooker::Session::SessionExpired: Session key invalid or no longer valid
        ...
        pages = fb_session.pages(:fields => {:page_ids => p.fb_page_id})
        Facebooker::Session::SessionExpired: Session key invalid or no longer valid
        ...
        pages = Facebooker::Session.create.fql_query("select fan_count from page where page_id = #{p.fb_page_id}")
        => [#]

    Perhaps I'm not creating the session right, or maybe offline access doesn't give me access to the user's page even though I have permission to push to it. As you can see, when I just use an anonymous session I'm able to get the fan count, which I'm guessing is publicly available. Does anyone have an idea on this?


  • What is whitelisting, and how to get a desktop Facebook app whitelisted

    - by user63898
    Hello all, my desktop application is invoking FQL queries; the first time I'm logged in as a different user (not the developer user) I'm getting this error message: "error_code":606 : xxxx is not permitted to requested mailbox permissions from xxxxxx. From reading I know I need to whitelist my desktop app, but no one tells how??

